Phishing email delivers an ISO attached as request.doc that unpacks a CHM loader and Vidar payload. Vidar collects system and browser data, downloads dependencies from Mastodon-based C2, and can fetch additional malware from the same infrastructure. #Vidar #CH…
Category: Threat Research
The article surveys how crypto phishing relies on malvertising, social media campaigns, and fake wallet prompts to steal seed phrases, wallets, and NFTs—from Ledger impersonations to Vitalik Buterin fakery and ApeCoin scams. It also highlights techniques like …
Vidar emerged in 2018 as a copycat of Arkei and has spawned Oski Stealer and Mars Stealer variants. The diary traces how these families rely on legitimate DLLs hosted on their C2 servers and exfiltrate data as zip archives via HTTP POST. #Vidar #OskiStealer #M…
TRU and BreakPoint Labs uncovered a Conti affiliate operating an automated Cobalt Strike infrastructure, exposing new domain names, IP addresses, and emails used for command-and-control. The findings link Conti operations to Trickbot, BazarLoader, IcedID, Five…
Avast Threat Labs connects Meris, TrickBot, and Glupteba campaigns to a single C2 that covertly controls roughly 230,000 MikroTik routers in a botnet-as-a-service. The research traces exploitation of CVE-2018-14847, wides…
Avast researchers uncovered a password stealer disguised as a private Fortnite server, distributed primarily via Discord with TikTok tutorials guiding victims to download it. The campaign targets Russian gamers, stealing credentials and other information saved…
AvD crypto stealer is a disguise for a Clipper variant that reads and edits clipboard content to swap crypto wallet addresses. The actor offers one month of free access to attract more users, with targets including other threat actors and six supported chains.…
AhnLab ASEC reports ClipBanker being distributed as a malware-creation tool on a site called “Russia black hat,” with attackers bundling both malware and the tool (Quasar RAT builder). The dropper uses crack.exe to launch ClipBanker, which then runs in the bac…
Researchers at ESET uncovered an ongoing Mustang Panda operation using a new Korplug variant, Hodur, noted for its aggressive anti-analysis and memory-only loading chain. The campaign uses European-current-events decoys to target diplomatic missions, research …
Security researchers at ASEC uncovered BitRAT distributed via Korean webhards, masquerading as a Windows license verification tool. The attack chain uses a multi-stage dropper that hides a downloader, which then fetches BitRAT and broader capabilities, includi…
APT35 (PHOSPHORUS/UNC2448) leveraged Microsoft Exchange ProxyShell vulnerabilities to gain initial access, deploy web shells, and perform post-exploitation tasks, including credential dumping and payload deployment. The activity appears scripted and automated,…
ASEC uncovered malware distributed as Windows Help Files (.chm) aimed at Korean users, delivered via compressed email attachments. When opened, the CHM dropper spawns VBScript and PowerShell payloads, persists through a Run key, and downloads a second-stage do…
Threat researchers describe a first-stage spearphishing campaign targeting luxury hotels in Macao that used a password-protected Excel file with macros to drop and execute further payloads via scheduled tasks and PowerShell. The operation, attributed to DarkHo…
BlackBerry Threat Intelligence identifies LokiLocker as a new RaaS ransomware family that encrypts Windows files using AES-256 and RSA-2048, with virtualization protection via KoiVM/NETGuard to hinder analysis. The campaign also features a possible false-flag …
Proofpoint details a targeted French campaign delivering a backdoor named Serpent through a macro-enabled Word document that installs Chocolatey and Python via steganography. The operation uses Tor-based C2, a novel schtasks-based execution technique, and onio…